Overview

overview

10

Static

static

3

6859dc21d5...cs.exe

windows7-x64

10

6859dc21d5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6859dc21d5a1080edcd6827a70e22c20_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    6859dc21d5a1080edcd6827a70e22c20

  • SHA1

    916f841f25485242d9a60f9f030dbd9ee7d61668

  • SHA256

    9341cc1bd3785bbab93d9bccd5b64e3dee929db7dc7538df5cbbedd174b0d669

  • SHA512

    4ca2f4b8c484a379ee75c12d61a6cda8e2cf7b436dcc073c9cc0cefaa476e5b8c3820fec80166b4046f6c53c6276556b00898c8cb2b60d0dca6d093e1639c688

  • SSDEEP

    768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nEk:zAwEmBZ04faWmtN4nic+6Gk

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6859dc21d5a1080edcd6827a70e22c20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6859dc21d5a1080edcd6827a70e22c20_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2724
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1360
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2884
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

6
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    efce05215375c79a0049bb890c2cc7c7

    SHA1

    04aae26fa81308dea6716838edf48575cb7d0dee

    SHA256

    f4a49bd0e6e4330f29383d6d2d56c642a1d42ee373ba4e24e423c9f2a9e5bccd

    SHA512

    a24851b0388743284ac8b756d08731b6a6f9cebd2164876249fbe728d697eaa5bd37db75bb3df2eba9b696dccdbe2004c11d20cbc1ba7cfbb2a83685bcc4427b

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    601f1e2feeff5181549307051727f7dd

    SHA1

    14d4e72fd6f034d798a1f32f84be2b7022704b76

    SHA256

    284dbcd1c9361ace28bbd1b364d3c70af74852929fbbc1f6fd62e5ca073f37ef

    SHA512

    69520c0985f1d883cbe9fc5c155d5c85f95802fe1f1b6457b13b51778b0dc1be7b3066c29da9b1db4ced67727072d76c902ce4c2b1c2048a7bc876e0a3769eb9

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    6af97d6d2c27a463a9bb0de730b49799

    SHA1

    91f231c6523b5433e876b38a33082e22b08c4af2

    SHA256

    0b4a5c8fc843a506e7cfc0a4de9ade8924876aa024d1d256607c1a20be4eabe0

    SHA512

    2d6738b8340c6c59b6f1e302a9ee358ffa303cf0e02007d2cf59a5553efae36a55951f36344d5a53fd0a2ecef1340a1aff8296a48edd8335ee7a4e7c1c982840

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    08210fac9d1f8032dcc4f6aa3ef4d551

    SHA1

    79e2d2a6a56d628d46c544994c14e29d3d48b57e

    SHA256

    920a6186ea047f54e134b28bc659752da32ab31b0d6633ce800d92ef8718323d

    SHA512

    74e67bd3081227194715784ca5246e81e151d4f80462698ba5ab9f69b58db1c41958392ee9fac8ff6862f29e2250b9be9e4f0b414880089141e116d725ace8ba

    Download Submit
  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    6859dc21d5a1080edcd6827a70e22c20

    SHA1

    916f841f25485242d9a60f9f030dbd9ee7d61668

    SHA256

    9341cc1bd3785bbab93d9bccd5b64e3dee929db7dc7538df5cbbedd174b0d669

    SHA512

    4ca2f4b8c484a379ee75c12d61a6cda8e2cf7b436dcc073c9cc0cefaa476e5b8c3820fec80166b4046f6c53c6276556b00898c8cb2b60d0dca6d093e1639c688

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    2e633a9e04cf9775e867e22dc50323f2

    SHA1

    dbfdda070cdc2bb978678c495f2f6e2d468a92fd

    SHA256

    0409d9af648b8bce1838398b3b73a74056e8d06927ffb02669a42ce0a8267438

    SHA512

    be74fc1db30663884ad288db1d3b6bdb1aaa36dbf95e9507f8f5bb6d882df3ea1926aab3a43dcfec87e57af0dacbda769112db74ffcdcb943fe1004ee5e1c5f5

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    cd1ed431dbe9214dc9fdc22fe897ce32

    SHA1

    e4394577e6cee10fd20f37d998a99970bb0aa18d

    SHA256

    dd5c6fdc612428c74a21c7b8500e2710b65b48c49ed6c3127ebd7297227c8b1a

    SHA512

    fc192874a0c2b401255ddb6daf04cbd997db6e301ad40489b00265decc03a3fb424c7d97d18360ac1df7f5f6885be68d32515cee16fe77083d8ce96870941623

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    88e050c5001a9267ba511ea126c8b1ac

    SHA1

    b3efa354d0c70ea17f039386dd7267e177e3a4e3

    SHA256

    829c380c11772d1775dc387c3f10d5f7c46112775f37930c4a41eda002416081

    SHA512

    1546f787b48af86953bc2d694d46af69a4d116aab81f1ee1a0de972cb377ef0ead8973472e908644bc64e8485c980b6eeded36441f8289e737550d717ce3e2d4

    Download Submit
  • memory/608-140-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1360-111-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1476-152-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2724-0-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2724-154-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2884-134-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3712-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4752-145-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/5032-118-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/5032-114-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download